What the government isn't doing

State attorneys general have also made several moves to police tech companies’ privacy practices. Among the most notable: a 38-state, $7 million settlement with Google last year over the company’s since-abandoned practice of having cars taking pictures for its Street View service also identify and capture data from nearby Wi-Fi networks.

In Washington, by contrast, things are moving at dial-up speed.

Congress has been unable for years to write any serious privacy legislation. What little there is has fallen victim to partisan bickering, a slew of tech company lobbying and conservative interests fighting any form of regulation over the private sector’s use of data.

In his first term, Obama launched a series of discussions through the Commerce Department that led to the proposed Consumer Privacy Bill of Rights, a set of six principles to guide companies when handling personal data, including respecting the context in which it was obtained and allowing individuals to correct erroneous information.

“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” Obama said in releasing the guidelines in February 2012.

But the White House never made a follow-up push with Congress. There was some potential for bipartisan collaboration; Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) had earlier worked together on a similar framework. But “the White House was unable to pick up where the story had left off,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. “Apparently, they could wait.”

In fact, even as Obama vowed to safeguard consumer privacy, the White House repeatedly portrayed the big data revolution as a modern-day gold rush that could improve lives, boost the economy and create good jobs.

“Big Data is a Big Deal,” blared a March 2012 White House blog post announcing a $200 million Big Data Research and Development Initiative. An accompanying 13-page handout made only a glancing mention of privacy, for health records.

Obama’s political campaign was diving deep into data analytics, too, famously mining consumer databanks, voter surveys and social media to identify likely voters and push them to the polls.

Only after Edward Snowden’s first disclosures about NSA spying did Obama seem intent on reviving the privacy issue. He said on a couple of occasions that he was determined to pair discussions of alleged NSA overreach with a debate about the broader world of data-gathering.

“The challenges to our privacy do not come from government alone,” Obama said in January. “Corporations of all shapes and sizes track what you buy, store and analyze our data and use it for commercial purposes.”

Obama also commissioned counselor John Podesta to spend 90 days studying how data mining has affected privacy in both the public and the private sector. Podesta declined to comment for this story, but one former White House official said the Podesta project was, in part, meant to placate pro-privacy administration aides who had hoped for a tougher crackdown on NSA snooping.

“What comes out as ‘the administration position’ is highly contended internally,” said the ex-official, who asked not to be named. “Part of the reason the whole big data study is happening is as a counterbalance to those who had a sense the NSA really went way, way over the line.”

The Podesta report issued earlier this month called on Congress to take action now to crack down on data breaches, like the lapse that exposed the credit card numbers of tens of millions of Target customers over the holiday season. On privacy, though, the report recommended another round of discussion.

A handful of privacy bills are on the table in Congress, but none has made much headway. Among other things, the languishing bills would require companies to get customers’ permission before collecting or sharing information on their location; give consumers more control over the data collected by their cars; and expand online privacy protections for children.

McCain says legislation to control private-sector data collection would be a tougher lift than when he first proposed it three years ago. “It’s harder now, but one reason why we did it then and why it’s much more needed now is to try to give people some confidence in their ability to maintain their privacy,” he said.

Without a credible threat of legislative action, tech companies are unlikely to move voluntarily to tighten privacy protections, said Peter Swire, an adviser on privacy issues in both the Clinton and Obama administrations.

“Companies can justify expensive new privacy measures, if that’s better than potential legislation. [Otherwise,] it’s hard for them to self-impose strict privacy rules,” said Swire, who also served on Obama’s surveillance review group.

The Direct Marketing Association, an industry trade group, argues that industry self-regulation has worked well for decades. It’s also big business. The association released a study last fall estimating that the use of big data to shape marketing campaigns added $156 billion in revenue to the U.S. economy in 2012 alone.

The Rockefeller bill would give consumers the right to see and correct their files with data brokers or opt out of the system altogether. The DMA opposes the bill, said Rachel Nyswander Thomas, its vice president of government affairs. “It would very much impinge on this data-driven economy we’ve all come to enjoy,” she said.

PEN AND PHONE?

Regulatory agencies can sometimes be more nimble than Congress, and Obama has touted his desire to use his “pen and phone” executive branch power to get things done. But their actions in the privacy arena have also been sparse.

The Federal Trade Commission is way behind schedule on an analysis of commercial data brokers. And the agency is just starting to get up to speed on the universe of wired devices, known as the “Internet of Things.”

Instead of proposing regulation, the FTC is urging companies building connected devices to think carefully about data privacy as they’re developing their products.

“Risk to consumers could be minimized if companies would just give more serious thought to what data they really need and what they don’t,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection.

The FTC does have some enforcement power as well. In recent years, it has brought legal actions against dozens of organizations for violating consumer privacy rights. Most of those cases have flown under the radar, though the agency made headlines last week when it announced a settlement with the popular app Snapchat over concerns it misled users about the privacy of their communications.

As for the Consumer Privacy Bill of Rights, the White House’s outside tech advisers now believe that “ubiquitous” data collection may be rendering parts of it obsolete. With so many cameras, smartphones and new devices like Google Glass constantly collecting images, GPS location and other data, it no longer seems plausible that anyone can fully understand, let alone consent to, all the ways the flood of data about them is being used.

In a conference call with reporters earlier this month, Podesta said a “quick round of input” is needed on whether parts of the 2012 policy effort are still viable. “Some of the other elements of the Bill of Rights … may be under severe pressure in light of these new technologies,” Podesta said.

Indeed, even the concept of “consumer” privacy may now be off the mark. Back in 2012, the Obama administration focused largely on how companies treat data entered on a website or acquired during an online purchase. However, some of the trickiest policy challenges now stem from situations where the consumer is unaware of any transaction.

Privately owned license-plate readers capture the locations of millions of cars on public streets or shopping malls and upload that information to massive databases where it is for sale, with no government regulation.

Facial recognition software is approaching the same sophistication, creating the ability to build databases that could be used to track a person’s movements. Retailers, for instance, can use the technology to compare the faces of incoming customers to law enforcement mug shots. Or to flag VIP shoppers and text news of their approach to the store manager.

Some of those promoting and profiting from this technology believe they are protected by the First Amendment, since the courts have generally upheld the right to take and publish photos of scenes in public places. Utah ended up exempting the private sector from its rules on license plate data after two firms filed a lawsuit charging that the controls were unconstitutional.

”You have a recognized right to photograph anything that’s visible. To turn around and legislate how long you can retain those photos or with whom you may communicate that photography is clearly textbook First Amendment infringement,” said Todd Hodnett, chairman and founder of license plate tracking firm Digital Recognition Network. “I can’t imagine a world we would live in in which you get permission to photograph anything you can see with your eyes.”

The companies’ legal arguments might have some resonance with the current Supreme Court. But the Obama administration has also been quick to defend its right to regulate business in order to protect privacy.

Until the legal issues are resolved, private companies are likely to continue trying to find new ways to vacuum up every scrap of data they can find.

“The genius and the fury of capitalism is that everyone is trying to compete with each other about who can collect the most detailed information about consumers,” said Stanley, the ACLU policy analyst. “Where will it end? We have to put some rules in the road.”